Automated Decision Making for Network Defences and Data Protection
Dr. Jassim Happa, Research Fellow, Department of Computer Science, University of Oxford, [email protected]
With thanks to Tom Bashford-Rogers, Alastair Janse van Rensburg, Arnau Erola, Nick Moffat, Martin Helmhout, Ioannis Agrafiotis, Phil Legg, Michael Goldsmith and Sadie Creese.
• Automation challenges:
  • Threat detection, responses, ethics and legal compliance
[Diagram: dependency chain. Generator powers buildings; people use buildings; people use machines; machines exist in buildings; services exist on machines; services are used by people; services rely on the Internet; network relies on Internet infrastructure; people maintain generators.]
Automated Network Defences I
Logs are generated everywhere!
Automated Network Defences II
• Context-driven Automated Network Defence
  • security posture (description of mission + asset priorities)
  • known state of assets (e.g. OS, vuln., on/off)
  • alerts (received/generated)
• Nuanced decision making by using BPMN and a decision-making grammar
• Early trials of probabilistic moving targets
[Architecture diagram with components: Richer Picture (Cyber Data, Mission Data, External Data: CVE, OSINT), Courses of Action, Machine Learning Module, Decision System, Visualization Dashboard, BPMN, Network.]
Automated Network Defences III
Video Demo
Performance statistics:
- Tested in a simulation with 140,000 netflows per second, generating additional IDS alerts.
- Distributed p2p solution.
Purpose of video:
- Show how single trees compute decisions
• Distinct PROTECTIVE features:
  • IDEA, MISP and STIX support
  • Context Awareness
  • Data Fusion (Meta Alerts)
  • Computational Trust
  • Run-time monitoring of Information Sharing Compliance
[Diagram: PROTECTIVE Ecosystem. CSIRTs with their constituencies, Protective Nodes, and TI Sharing between the nodes.]
More info: https://protective-h2020.eu/media/
This project has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No 700071. This output reflects the views only of the author(s), and the European Union cannot be held responsible for any use which may be made of the information contained therein.
Cyber Threat Intelligence Sharing II
We are running a pilot! If you’re interested in trying the tool, email: [email protected]
• “Data sharing with data protection in mind”
• Legal/SOP/NDA Speak and Tech Speak: opposing forces
• Codifying law and NDAs is hard
  – Requirements are present, but not specifications.
  – When are “legitimate interests” legitimate?
  – Language is difficult to process
  – What is the baseline – i.e. what is “good enough”?
Legal/SOP/NDA speak: room for interpretation, e.g. terms like “reasonable”.
  Benefits:
  - Allows for human decision.
  - Allows for context.
  Disadvantages:
  - Slow.
  - Ambiguous.
Tech speak: no room for interpretation; exact instructions.
  Benefits:
  - Allows for automation.
  - Allows for large reach.
  Disadvantages:
  - False positives/False negatives.
  - Unintelligent.
Cyber Threat Intelligence Sharing IV
• Expert System - building blocks for:
• Auditing and Enforcement of Compliance.
• Designed with GDPR, NDA, IEP in mind.
• Confidential Information Exchange.
• Decoupled from the main PROTECTIVE tool. Generic Solution.
• Supports any cleartext data format
• Templates of rules. Rules modifiable.
Cyber Threat Intelligence Sharing V
Open sourced: https://gitlab.com/protective-h2020-eu/protective-node/wikis/home
Performance statistics:
- Approx. 2.2 ms per alert on typical desktop hardware, for roughly 450 alerts per second (~39 million events per day).
- Distributed p2p solution, also supports client-server architectures.
Purpose of video:
- Show performance and types of fields